2

I'm searching for a way to prevent my system users from sudoing into the root account in any way.

I don't mean logging in to the root user by SSH, but specifically by sudoing (sudo -s, sudo su, etc.).

Any suggestions?

(Except whitelisting specific commands in the sudoers file.)

Thanks!

That's what I want to prevent: when a user uses "sudo -s", he will not be able to use the "root" user.

ayali
  • Do you still want users to be able to use sudo to act as other non-root users? – Kusalananda Oct 02 '19 at 13:11
  • Yes, the users have sudo access to run privileged commands. The idea behind disabling sudo into the root user is to find suspicious activities. When you give your employees the idea of using sudo for every command, suspicious activity can be easier to find :) – ayali Oct 02 '19 at 13:24
  • 1
    Ah, so you're talking about being able to start an interactive root shell, only. – Kusalananda Oct 02 '19 at 13:26
  • I found this one: http://makeitcompliant.blogspot.com/2012/06/restricting-root-shell-and-root-user.html that is actually my question: "Users often drop to a root shell to avoid typing sudo before any command. Dropping to a root shell is usually done doing su -, sudo -i, sudo -s, sudo bash etc." What I want is to prevent my users from dropping into the "root" shell. The example on this website is not working. Any suggestions? – ayali Oct 03 '19 at 11:08

4 Answers

5

Once you define the sudoers specification with the 'ALL' keyword in the commands field, there is no way to effectively prevent the execution of a specific command or set of commands. The sudoers manual explains this in a straightforward manner:

Limitations of the ‘!’ operator

It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).

In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in the user specification.

The only way to avoid the scenario described above is to have a list of allowed commands that the user can execute, i.e. a whitelist.

Haxiel
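To make the manual's point concrete, here is an added example (not code from the answer or from sudo itself): a deliberately simplified model of how sudoers matches a command against a Cmnd_List. It implements only the rules from sudoers(5) that matter here: ALL matches any program, a path entry matches the path of the program actually run, an entry without arguments matches any arguments while one with arguments must match them exactly, a '!' entry denies, and the last matching entry decides. The alias contents, the users bill and ops, and the two policies are constructed for the demonstration.

```python
# Simplified model of sudoers(5) command matching, written as an added example
# to show why "ALL, !SHELLS" is only advisory. This is not sudo's code; the
# alias contents, users and policies below are constructed for the demo.

CMND_ALIASES = {
    # Alias contents follow the examples in sudoers(5); paths vary by distro.
    "SHELLS": ["/bin/sh", "/bin/bash", "/usr/bin/zsh"],
    "SU": ["/usr/bin/su"],
}


def _expand(entry):
    """Expand one Cmnd entry (ALL, an alias name, or 'path [args]') into
    (path, args) pairs; args is None when the entry has no arguments."""
    if entry == "ALL":
        return [("ALL", None)]
    if entry in CMND_ALIASES:
        return [pair for member in CMND_ALIASES[entry] for pair in _expand(member)]
    path, _, args = entry.partition(" ")
    return [(path, args.split() if args else None)]


def _matches(spec, path, args):
    """sudoers(5): a path entry matches the program's path; an entry without
    arguments matches any arguments, one with arguments must match exactly."""
    spec_path, spec_args = spec
    if spec_path != "ALL" and spec_path != path:
        return False
    return spec_args is None or spec_args == list(args)


def permitted(cmnd_list, path, args=()):
    """Evaluate a Cmnd_List such as ['ALL', '!SU', '!SHELLS'] for the program
    at `path` run with `args`. As in sudoers, entries are checked in order,
    a '!' entry denies, and the last matching entry decides."""
    decision = False
    for entry in cmnd_list:
        negated = entry.startswith("!")
        for spec in _expand(entry.lstrip("!")):
            if _matches(spec, path, args):
                decision = not negated
    return decision


# bill ALL = ALL, !SU, !SHELLS          (the rule quoted from the manual)
BILL = ["ALL", "!SU", "!SHELLS"]
# ops  ALL = /usr/bin/systemctl restart nginx, /usr/bin/journalctl   (an allow-list)
OPS = ["/usr/bin/systemctl restart nginx", "/usr/bin/journalctl"]


def bypass_demo():
    """(shell directly, copied shell): the '!' entries stop bill from running
    /bin/bash, but after `cp /bin/bash ~/notashell` the copy matches only ALL."""
    return (permitted(BILL, "/bin/bash"),
            permitted(BILL, "/home/bill/notashell"))


def whitelist_demo():
    """(listed command, same program with other args, copied shell): with an
    allow-list, only what is listed gets through."""
    return (permitted(OPS, "/usr/bin/systemctl", ["restart", "nginx"]),
            permitted(OPS, "/usr/bin/systemctl", ["restart", "sshd"]),
            permitted(OPS, "/home/ops/notashell"))


if __name__ == "__main__":
    print("bill, '!' exclusions:", bypass_demo())    # (False, True)
    print("ops, allow-list:     ", whitelist_demo())  # (True, False, False)
```

bypass_demo() returns (False, True): bill cannot run /bin/bash through sudo, but a copy of it at /home/bill/notashell is matched only by ALL and goes through, which is exactly the copy-to-a-different-name bypass the manual describes. whitelist_demo() returns (True, False, False): with an allow-list neither the copied shell nor a different systemctl invocation is permitted. Real sudo adds more (wildcards, digests, Defaults such as noexec), but none of it changes this outcome, because the decision is keyed on the path invoked, not on what the program does once it runs.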
1

That is not possible, because there is always a way to act as root as long as you do not whitelist specific commands in the sudoers file.

If you don't mind disabling the root login shell completely, you could disable the user shell.

It would still be possible for any sudo user to undo this of course.

Seamus
eike
  • 1
    Using this method disables SSH access but does not prevent users from using "sudo -s" to su into the root user – ayali Oct 03 '19 at 10:07
0

Remove the users from the sudo group and create a new group, say, restricted.

Then, in /etc/sudoers (or better yet, in a file under /etc/sudoers.d) you add something like this:

%restricted ALL=NOPASSWD: /usr/bin/command1,/etc/init.d/command2 restart

The users in that group will only be able to run those commands.

Toby Speight
  • Hi, That was not my question :) – ayali Oct 02 '19 at 14:09
  • You're right. Sorry. – Eduardo Trápani Oct 02 '19 at 14:27
  • This new answer might solve it. – Eduardo Trápani Oct 02 '19 at 14:36
  • /usr/bin/rsync? Hopefully you won't be surprised when someone you gave the ability to run rsync as root to uses that to get full root privileges. "Gee, I have root rsync!!!! I can copy /etc/shadow out, change or remove the root password, and copy it back!" – Andrew Henle Oct 02 '19 at 14:47
  • @AndrewHenle that is not an actual entry. But I'll edit it so as to not distract people from the actual solution. – Eduardo Trápani Oct 02 '19 at 14:50
  • Guys, I think that you have not got the point. I didn't say that there is no way of breaking out of this "jail" or whatever we call it, but I just say that if every user knows that this is disabled, when an attacker comes and tries to sudo into the root user, I will have an alert for this (I already have a rule for that), but I cannot go to each user and tell them "don't sudo into root", because that would take years. – ayali Oct 03 '19 at 10:09
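What the asker describes here (an alert when someone starts a root shell through sudo) can be checked against sudo's own syslog lines. The following is an added example, not something from the question or from sudo: a parser for sudo's default log format (invoking user, TTY, PWD, target USER and COMMAND) and a classifier that flags interactive root shells and su as "root-shell", and separately flags programs known to offer a shell escape. The host name, user names and log lines are constructed; the lists of shells and escape-capable programs are assumptions a deployment would tune.

```python
import os
import re

# Constructed sample in sudo's default syslog format (not from a real host):
# after "sudo:" come the invoking user, then TTY, PWD, the target USER and
# the COMMAND as sudo resolved it. The last line is a non-sudo line.
SAMPLE_LOG = """\
Oct  3 10:05:12 web1 sudo:    ayali : TTY=pts/0 ; PWD=/home/ayali ; USER=root ; COMMAND=/usr/bin/yum install tmux
Oct  3 10:06:40 web1 sudo:    ayali : TTY=pts/0 ; PWD=/home/ayali ; USER=root ; COMMAND=/bin/bash
Oct  3 10:07:03 web1 sudo:       u3 : TTY=pts/1 ; PWD=/home/u3 ; USER=root ; COMMAND=/usr/bin/su -
Oct  3 10:07:45 web1 sudo:       u3 : TTY=pts/1 ; PWD=/home/u3 ; USER=www-data ; COMMAND=/bin/sh
Oct  3 10:08:10 web1 sudo:    ayali : TTY=pts/0 ; PWD=/home/ayali ; USER=root ; COMMAND=/usr/bin/vim /etc/hosts
Oct  3 10:08:30 web1 sudo:    ayali : TTY=pts/0 ; PWD=/home/ayali ; USER=root ; COMMAND=/home/ayali/notashell
Oct  3 10:09:00 web1 sshd[2211]: Accepted publickey for ayali from 10.0.0.5 port 50214 ssh2
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)

# Assumed lists; tune per fleet. SHELLS is what "sudo -s", "sudo -i" and
# "sudo bash" end up logging; SHELL_ESCAPES are programs with a documented
# way to spawn a shell from inside (":!sh" in vi, "!sh" in less, and so on).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}
SHELL_ESCAPES = {"vi", "vim", "less", "more", "find", "awk", "perl", "python", "python3"}


def parse_sudo_line(line):
    """Return a dict of the sudo fields, or None for a non-sudo line."""
    m = SUDO_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["argv"] = rec["command"].split()
    rec["prog"] = os.path.basename(rec["argv"][0])
    return rec


def classify(rec):
    """Alert label for one parsed record, or None when nothing to report.
    Only target user root matters here; sudo to other accounts is allowed."""
    if rec["target"] != "root":
        return None
    if rec["prog"] in SHELLS or rec["prog"] == "su":
        return "root-shell"            # sudo -s / sudo -i / sudo bash / sudo su
    if rec["prog"] in SHELL_ESCAPES:
        return "shell-escape-capable"  # advisory: interactive program run as root
    return None


def alerts(log_text):
    """Scan syslog text and return (invoker, label, command) for each hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is not None:
            hits.append((rec["invoker"], label, rec["command"]))
    return hits


if __name__ == "__main__":
    for invoker, label, command in alerts(SAMPLE_LOG):
        print(f"{label:22} {invoker:8} {command}")
```

Lines two, three and five of the sample are flagged; the sudo to www-data is not, and neither is /home/ayali/notashell, although it may well be a renamed copy of bash. That is the limit Haxiel's answer describes: sudo logs the path it was asked to run, so a renamed shell, or a shell spawned from inside vim, appears as an ordinary command. The alert still catches the common case of a user typing sudo -s or sudo su; it is not a control on its own.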
-1

I was looking for the same, so this is what I tried, and it worked.

Created a group called admin and then added the admin group to /etc/sudoers

## Aliases the admin rule refers to (paths as in the sudoers(5) examples)
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/zsh
Cmnd_Alias SU = /usr/bin/su
%admin  ALL=(ALL)       ALL, !SHELLS, !SU
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

usermod -aG admin u3

usermod -aG wheel u3

su - u3

[u3@localhost ~]$ yum install something
Loaded plugins: product-id, search-disabled-repos, subscription-manager
You need to be root to perform this command.

[u3@localhost ~]$ sudo yum install something
Loaded plugins: product-id, search-disabled-repos, subscription-manager

So the user u3 has the root power since it was added to the wheel group, but it will not get a root shell, so the sysadmin will know what u3 has done with the sudo/root privilege.

Greenonline
  • Any user in your admin group can get a shell. If you read some of the other answers to this question they explain why your suggestion is flawed - as does the man page itself – Chris Davies Mar 19 '22 at 08:02